System and method for user enrollment in a secure biometric verification system

ABSTRACT

A computer-implemented method and system for verifying the identity of a user in an identity authentication and biometric verification system which includes collecting information from the user regarding the user&#39;s identity, which is then electronically authenticated. Upon authentication, personal information regarding the verified identity of the user is retrieved from a source database which is used to verify the identity of the user, via user interaction. Upon successful verification and authentication, biometric data regarding the user is electronically collected.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of U.S. patent application Ser. No.14/127,103 filed on May 16, 2014, which claims priority to PCT PatentApplication No. PCT/US2012/037983 filed on May 15, 2012, which claimspriority to U.S. Patent Application No. 61/502,453 filed on Jun. 29,2011.

FIELD OF THE INVENTION

The invention relates generally to a biometric verification system, andmore specifically to a method and system for authenticating a user'sidentity.

BACKGROUND OF THE INVENTION

The present invention generally pertains to identity verificationsystems. More specifically, the present invention pertains to biometricsecurity systems that provide an enhanced defense against fraudulent useof an individual's identity to complete a transaction.

Within a typical biometric security system, there are at least twooperations, enrollment and verification. The operation of enrollmentencompasses the original sampling of a person's biographic and biometricinformation, confirmation of the identity and its owner, and thecreation and storage of a biometric template associated with theidentity (a.k.a., an enrollment template) that is a data representationof the original sampling. The operation of verification includes aninvocation of a biometric sample for the identification of a system userthrough comparison of a data representation of the biometric sample withone or more stored enrollment templates.

Biometric information is, by nature, reasonably public knowledge. Aperson's biometric data is often casually left behind or is easily seenand captured. This is true for all forms of biometric data including,but not limited to, fingerprints, iris features, facial features, andvoice information. As an example, consider two friends meeting. The onefriend recognizes the other by their face and other visible keycharacteristics. That information is public knowledge. However, a photoof that same person ‘is’ not that person. This issue similarly applies,electronically, to computer-based biometric authentication wherein acopy of authorized biometric information is susceptible to beingsubmitted as a representation of the corresponding original information.In the context of biometric security applications, what is important,what enables a secure verification, is a unique and trusted invocationof an authorized biometric.

SUMMARY OF THE INVENTION

The purpose and advantages of the invention will be set forth in andapparent from the description that follows. Additional advantages of theinvention will be realized and attained by the devices, systems andmethods particularly pointed out in the written description and claimshereof, as well as from the appended drawings.

To achieve these and other advantages and in accordance with the purposeof the invention, as embodied, the invention includes in one aspect acomputer-implemented method for verifying the identity of a user in anidentity authentication and biometric verification system. The methodincludes collecting information from the user regarding the user'sidentity (such as a passport), which is then electronicallyauthenticated. Upon authentication, personal information regarding theverified identity of the user is retrieved from a source database, whichis used to verify the user, via user interaction. Upon successfulverification and authentication, biometric data regarding the user iselectronically collected and matched to the personal informationretrieved from the source database. Another aspect of the invention mayinclude the functionality to perform scoring or qualification screeningas well as providing a user with a token on a smart card device or via acardless system.

In a further illustrated aspect of the invention, provided is anauthentication and biometric verification system adapted toelectronically couple to at least one electronic source database forauthenticating the identity of a user. The system preferably includes acentral processing system configured to receive information regardingthe identity of a user and verifying the identity of the user based uponthe received information. Upon successful verification, the centralprocessing system is further configured to retrieve from at least oneelectronic source database information relating to the user verifiedidentity to authenticate a user's identity via interaction with the userapplicant. Further provided is a biometric collection deviceelectronically coupled to the central processing system adapted andconfigured to collect biometric data from a user applicant uponsuccessful authentication of the user applicant. A payload processorcomponent is further preferably provided and electronically coupled tothe central processing system adapted and configured to convert thecollected user applicant biometric information into an electronicpayload.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects and features of the invention can be understood withreference to the following detailed description of an illustrativeembodiment of the present invention taken together in conjunction withthe accompanying drawings in which:

FIG. 1 is a system level diagram of a computering environment used bythe present invention;

FIG. 2 is a system level diagram of components of the present inventionin accordance with an illustrated embodiment; and

FIGS. 3 and 4 are flow charts depicting operation of the presentinvention in accordance with the illustrated embodiment of FIG. 2.

WRITTEN DESCRIPTION OF CERTAIN EMBODIMENTS OF THE INVENTION

The present invention is now described more fully with reference to theaccompanying drawings, in which an illustrated embodiment of the presentinvention is shown. The present invention is not limited in any way tothe illustrated embodiment as the illustrated embodiment described belowis merely exemplary of the invention, which can be embodied in variousforms, as appreciated by one skilled in the art. Therefore, it is to beunderstood that any structural and functional details disclosed hereinare not to be interpreted as limiting, but merely as a basis for theclaims and as a representative for teaching one skilled in the art tovariously employ the present invention. Furthermore, the terms andphrases used herein are not intended to be limiting but rather toprovide an understandable description of the invention.

It is to be appreciated that the embodiments of this invention asdiscussed below preferably include software algorithms, programs, and/orcode residing on computer useable medium having control logic forenabling execution on a machine having a computer processor. The machinetypically includes memory storage configured to provide output fromexecution of the computer algorithm or program. Where a range of valuesis provided, it is understood that each intervening value, to the tenthof the unit of the lower limit unless the context clearly dictatesotherwise, between the upper and lower limit of that range and any otherstated or intervening value in that stated range is encompassed withinthe invention. The upper and lower limits of these smaller ranges isalso encompassed within the invention, subject to any specificallyexcluded limit in the stated range. Where the stated range includes oneor both of the limits, ranges excluding either or both of those includedlimits are also included in the invention.

Unless defined otherwise, all technical and scientific terms used hereinhave the same meaning as commonly understood by one of ordinary skill inthe art to which this invention belongs. Although any methods andmaterials similar or equivalent to those described herein can also beused in the practice or testing of the present invention, exemplarymethods and materials are now described. All publications mentionedherein are incorporated herein by reference to disclose and describe themethods and/or materials in connection with which the publications arecited.

It must be noted that as used herein and in the appended claims, thesingular forms “a”, “an,” and “the” include plural referents unless thecontext clearly dictates otherwise. Thus, for example, reference to “astimulus” includes a plurality of such stimuli and reference to “thesignal” includes reference to one or more signals and equivalentsthereof known to those skilled in the art, and so forth.

Turning now descriptively to the drawings, in which similar referencecharacters denote similar elements throughout the several views, FIG. 1depicts an exemplary general-purpose computing system in whichillustrated embodiments of the present invention may be implemented.

A generalized computering embodiment in which the present invention canbe realized is depicted in FIG. 1 illustrating a processing system 100which generally comprises at least one processor 102, or processing unitor plurality of processors, memory 104, at least one input device 106and at least one output device 108, coupled together via a bus or groupof buses 110. In certain embodiments, input device 106 and output device108 could be the same device. An interface 112 can also be provided forcoupling the processing system 100 to one or more peripheral devices,for example interface 112 could be a PCI card or PC card. At least onestorage device 114, which houses at least one database 116 can also beprovided. The memory 104 can be any form of memory device, for example,volatile or non-volatile memory, solid state storage devices, magneticdevices, etc. The processor 102 could comprise more than one distinctprocessing device, for example to handle different functions within theprocessing system 100. Input device 106 receives input data 118 and cancomprise, for example, a keyboard, a pointer device such as a pen-likedevice or a mouse, audio receiving device for voice controlledactivation such as a microphone, data receiver or antenna such as amodem or wireless data adaptor, data acquisition card, etc. Input data118 could come from different sources, for example keyboard instructionsin conjunction with data received via a network. Output device 108produces or generates output data 120 and can comprise, for example, adisplay device or monitor in which case output data 120 is visual, aprinter in which case output data 120 is printed, a port for example aUSB port, a peripheral component adaptor, a data transmitter or antennasuch as a modem or wireless network adaptor, etc. Output data 120 couldbe distinct and derived from different output devices, for example avisual display on a monitor in conjunction with data transmitted to anetwork. A user could view data output, or an interpretation of the dataoutput, on, for example, a monitor or using a printer. The storagedevice 114 can be any form of data or information storage means, forexample, volatile or non-volatile memory, solid state storage devices,magnetic devices, etc.

In use, the processing system 100 is adapted to allow data orinformation to be stored in and/or retrieved from, via wired or wirelesscommunication means, at least one database 116. The interface 112 mayallow wired and/or wireless communication between the processing unit102 and peripheral components that may serve a specialized purpose.Preferably, the processor 102 receives instructions as input data 118via input device 106 and can display processed results or other outputto a user by utilizing output device 108. More than one input device 106and/or output device 108 can be provided. It should be appreciated thatthe processing system 100 may be any form of terminal, server,specialized hardware, or the like.

It is to be appreciated that the processing system 100 may be a part ofa networked communications system. Processing system 100 could connectto a network, for example the Internet or a WAN. Input data 118 andoutput data 120 could be communicated to other devices via the network.The transfer of information and/or data over the network can be achievedusing wired communications means or wireless communications means. Aserver can facilitate the transfer of data between the network and oneor more databases. A server and one or more databases provide an exampleof an information source.

Thus, the processing computing system environment 100 illustrated inFIG. 1 may operate in a networked environment using logical connectionsto one or more remote computers. The remote computer may be a personalcomputer, a server, a router, a network PC, a peer device, or othercommon network node, and typically includes many or all of the elementsdescribed above.

It is to be further appreciated that the logical connections depicted inFIG. 1 include a local area network (LAN) and a wide area network (WAN),but may also include other networks such as a personal area network(PAN). Such networking environments are commonplace in offices,enterprise-wide computer networks, intranets, and the Internet. Forinstance, when used in a LAN networking environment, the computingsystem environment 100 is connected to the LAN through a networkinterface or adapter. When used in a WAN networking environment, thecomputing system environment typically includes a modem or other meansfor establishing communications over the WAN, such as the Internet. Themodem, which may be internal or external, may be connected to a systembus via a user input interface, or via another appropriate mechanism. Ina networked environment, program modules depicted relative to thecomputing system environment 100, or portions thereof, may be stored ina remote memory storage device. It is to be appreciated that theillustrated network connections of FIG. 1 are exemplary and other meansof establishing a communications link between multiple computers may beused.

FIG. 1 is intended to provide a brief, general description of anillustrative and/or suitable exemplary environment in which embodimentsof the below described present invention may be implemented. FIG. 1 isan example of a suitable environment and is not intended to suggest anylimitation as to the structure, scope of use, or functionality of anembodiment of the present invention. A particular environment should notbe interpreted as having any dependency or requirement relating to anyone or combination of components illustrated in an exemplary operatingenvironment. For example, in certain instances, one or more elements ofan environment may be deemed not necessary and omitted. In otherinstances, one or more other elements may be deemed necessary and added.

In the description that follows, certain embodiments may be describedwith reference to acts and symbolic representations of operations thatare performed by one or more computing devices, such as the computingsystem environment 100 of FIG. 1. As such, it will be understood thatsuch acts and operations, which are at times referred to as beingcomputer-executed, include the manipulation by the processor of thecomputer of electrical signals representing data in a structured form.This manipulation transforms the data or maintains them at locations inthe memory system of the computer, which reconfigures or otherwisealters the operation of the computer in a manner understood by thoseskilled in the art. The data structures in which data is maintained arephysical locations of the memory that have particular properties definedby the format of the data. However, while an embodiment is beingdescribed in the foregoing context, it is not meant to be limiting asthose of skill in the art will appreciate that the acts and operationsdescribed hereinafter may also be implemented in hardware.

Embodiments may be implemented with numerous other general-purpose orspecial-purpose computing devices and computing system environments orconfigurations. Examples of well-known computing systems, environments,and configurations that may be suitable for use with an embodimentinclude, but are not limited to, personal computers, handheld or laptopdevices, tablet devices, personal digital assistants, multiprocessorsystems, microprocessor-based systems, set top boxes, programmableconsumer electronics, network, minicomputers, server computers, gameserver computers, web server computers, mainframe computers, anddistributed computing environments that include any of the above systemsor devices.

Embodiments may be described in a general context of computer-executableinstructions, such as program modules, being executed by a computer.Generally, program modules include routines, programs, objects,components, data structures, etc., that perform particular tasks orimplement particular abstract data types. An embodiment may also bepracticed in a distributed computing environment where tasks areperformed by remote processing devices that are linked through acommunications network. In a distributed computing environment, programmodules may be located in both local and remote computer storage mediaincluding memory storage devices.

With the exemplary computing system environment 100 of FIG. 1 beinggenerally shown and discussed above, reference is now made to FIG. 2which depicts an illustrated embodiment of the system of the presentinvention, designated generally by reference numeral 200. With regardsto system architecture 200, system 200 is to be understood to consist oftwo primary data processing environments: (i) a backend environment,which is generally a processing system and a database of records, and(ii) a customer service environment, which preferably contains only asubset of data required to service users 290 and applicant users on aday-to-day basis. As depicted in the illustrated embodiment of FIG. 2,all connections and interactions between the systems are understood tobe handled through encrypted methods such as secure internet connections(“SSL”), virtual private networks (“VPN”) and any other similar known,or unknown methods. Additionally firewalls may be used for addedsecurity protection. It is to be understood, in accordance with theillustrated embodiments, data in transit is preferably encrypted at alltimes.

In accordance with the illustrated embodiment of FIG. 2, system 200preferably includes a central processing system 210 (preferablyencompassing components of computering system 100) operative andconfigured to manage and protect the biographic and biometricinformation used to provision the services of the system 200 to Users290 and “Benefit Providers”. It is to be understood and appreciated theterm “Benefit Providers”, for purposes of the present invention, is tobe understood to mean organizations that leverage the verificationprocess described herein to confirm user identity in order to provide aproduct or service to a User 290. For example, CLEAR® is a serviceprovider approved by the Transportation Security Administration (TSA)that performs biometric verification in order to provide the benefit ofbypassing the traditional TSA Travel Document Checker (TDC). Asdiscussed further below, central processing system 210 is preferablyadapted and configured to communicate with third party data sourceshaving information relevant, and preferably personal, to a user 290 soas to authenticate the user. An example of such a third party datasource includes, but is not limited to, LexisNexis, and other similardata sources.

Central processing system 210 is electronically coupled to a payloadprocessor system 220, a card production system 230 and member managementsystem 240, each preferably encompassing components of computeringsystem 100. Briefly, payload processor system 220 is operative andconfigured to convert User 290 biographic and biometric information intoan electronic payload that can be loaded onto a smart card or otheridentity confirmation token for use in verification processes. Cardproduction system 230 is operative and configured to create smart cardsor other tokens containing the User 290 payload. And member managementsystem 240 is operative and configured to manage User 290 informationand transactions such as biographic data updates (change of address,phone number, email, etc. . . . ) as well as billing information andtransactions. The member management system 240 may also provideinformation regarding usage and benefits.

It is to be appreciated and understood by one skilled in the art, thecentral processing system 210 is configured and operative to transmitdata with each of the payload processor system 220, the card productionsystem 230 and member management system 240 through any known suitablemeans. In the illustrated embodiment of FIG. 2, an encryptedtransmission method such as Secure File Transfer Protocol (SFTP) orSecure Socket Layer (SSL) (242, 244, 246) is employed to transmit databetween the central processing system 210, the payload processing system220, the card production system 230, and the member management system240. While the illustrated embodiment of the invention depicts acryptographic Secure Sockets Layer (SSL) 246 to transmit data betweenthe central processing system and the member management system 240 (theSSL 246 is to be understood to be only an exemplary method fortransmitting data as any suitable method may be utilized).

In accordance with the illustrated embodiment of FIG. 2, system 200further includes a plurality of kiosk devices 250 disposed in differinggeographic locations (such as airports, but not limited thereto) forenabling enrollment and identity verification, as discussed furtherbelow. For the purposes of the present invention, each kiosk device 250is to be understood to be an electronic kiosk (or computer kiosk orinteractive kiosk) housing a computer terminal preferably employingsoftware configured to enable the required user 290 enrollment andverification functionality while preventing users 290 from accessingsystem functions. It is to be appreciated and understood eachcomputerized kiosk 250 communicates with the central processing system210. Each kiosk 250 may be configured and operational to includebiometric capture devices (such as fingerprint and/or iris capturedevices, camera(s), card readers(s), trackballs, computer keyboards,pushbuttons and other typical input devices associated with interactivecomputer kiosks).

It is to be appreciated and understood by one skilled in the art, eachkiosk 250 electronically communicates with the central processing system210 using any known and suitable secure electronic method. In theillustrated embodiment of FIG. 2, a Virtual Private Network (VPN) link248 is established between each kiosk 250 and the central processingsystem 210, preferably through a firewall 246. Input devices thatcommunicate with the kiosk 250 can be physically attached to the kiosk250 or remotely communicating with the kiosk 250 to provide theinformation needed to perform enrollment or verification functions.

To aid the enrollment process, system 200 is further configured andoperative to couple to third party computering devices 260 accessible bya user 290 for enrollment purposes, as further explained below. It is tobe appreciated and understood by one skilled in the art, each thirdparty computering device 260 (e.g., a desktop or laptop computer, tabletdevice, smart phone, etc.) electronically communicates with the membermanagement system 240 using any known and suitable secure electronicmethod. In the illustrated embodiment of FIG. 2, each third partycomputering device 260 electronically communicates with the membermanagement system 240 via an internet Secure Sockets Layer (SSL)connection 262, preferably through a firewall 264.

It is to be appreciated and understood system 200 is preferablyoperative and configured to maintain remote monitoring capability of itsfield located kiosks 250 whereby monitoring and measuring of systemperformance and metrics will provide the information necessary forsystem 200 to continually evaluate the performance and effectiveness ofall components of system 200. It is to be further appreciated andunderstood, data relating to an applicant, member, and/or potentialmember 290 is not to be stored locally at a kiosk 250. That is, nopersonally identifiable information is stored in kiosks 250 or any otherfield storage devices associated with system 200 (e.g., laptops).Additionally, it is to be understood and appreciated, system 200utilizes the aforesaid encryption such as SFTP, SSL, and VPNconnections, along with protection by Firewalls, to ensure the securityof data in system 200.

With the system 200 in accordance with the illustrated embodiments ofFIGS. 1 and 2 being described above, its method and process of operationwill now be described in accordance with the illustrated diagrams ofFIGS. 3 and 4 (with continuing reference to FIGS. 1 and 2). First, withreference to FIG. 3 an exemplary enrollment process for an applicantuser 290 with system 200 will be described.

Starting at step 310, a user first preferably provides the appropriateenrollment payment information and user background/demographicinformation to system 200. This information is preferably input to themember management system 240. It is to be appreciated this informationmay be input to the member management system 240 from a user, via a usercomputering device 260 or a system kiosk 250 as illustrated in FIG. 2.In particular, the user computering device 260 preferably couples to themember management system 240 using an internet address coupling (e.g.,www.clearme.com), which coupling is preferably an SSL internet 262coupled connection, through firewall(s) 264, providing a secure andencrypted coupling.

Next, at step 320 the member management system 240 is configured andoperative to store the aforesaid user payment and billing informationalong with the user's background and demographic information necessaryfor membership information and verification purposes. The remainingportion of the user 290 input information from step 310 is preferablytransmitted to the central processing system 210. It is also to beappreciated that if a kiosk 250 is used for user enrollment purposes,the user's 290 input enrollment information is preferably transmitted tothe central processing system 210, which in turns sends userbilling/payment information and other appropriate membership informationto the member management system 240 for storage therein.

Next, to complete the enrollment process, a user 290 is preferablypresent at a kiosk 250 (or user computering device 260) whereby thecentral processing system 210 is configured and operative to send userdemographic information to the kiosk 250 the user is present at,preferably in real-time, so as to be authenticated by a user 290preferably in the presence of a system attendant for user authentication(step 330). That is, this is the process whereby the user's identity isauthenticated via data collected from external sources such as apassport, drivers license (and the like) and the successful completionof answers to questions which are specific to the user, as set forthabove. Upon such user authentication, the kiosk 250 is preferablyconfigured and operative to scan and authorize certain userdocumentation to authenticate the user 290 (step 340). For instance,each kiosk 250 may be configured and operative to only accept thoseforms of identification that Benefit Providers such as the TSA hasdeemed acceptable and that can be authenticated.

As an additional measure of security for verifying the identity of anenrolling user 290, system 200 is configured and operative to perform anauthentication user test (step 330). As mentioned above, once theidentity of the user applicant is authenticated (step 320), the centralprocessing system 210 is preferably adapted and configured tocommunicate with a remote third party data source (e.g., Lexis Nexis) toretrieve data relevant and personal to the verified identity of the userapplicant 290. This data (e.g., the amount of a mortgage or automobilepayment), is used by central processing system 210 to authenticate theuser applicant 290 so as to mitigate any instance of identity theft, asnow discussed below.

In a preferred embodiment, the aforesaid retrieved authenticating datais utilized by system 200 to formulate a quiz/test using the aforesaidretrieved authenticating data (e.g., the amount of a mortgage payment).It is to be appreciated and understood the functionality of theaforesaid authentication user test (step 330) is to strengthen theindividual authentication and enrollment requirements and furtherdecrease an imposter's ability to enroll under an alias. For instance, aquestion presented may be the amount of the user's monthly mortgagepayment and/or identify the most recent user employers. Thus, withregards to the aforementioned authentication user test (step 330),system 200 has incorporated an additional step in the secure memberenrollment process. That is, system 200 has made the successful“in-person” completion of an identity authentication test, (i.e. apersonalized questionnaire populated by commercially available data) asan additional eligibility requirement. In one embodiment, the identityauthentication test consists of posing applicants randomized questionsplus an auxiliary question. To successfully complete the quit, anapplicant user 290 preferably answers a predetermined number ofquestions correctly during a limited time period while being observed byan enrollment specialist. If an applicant/user 290 does not properlyrespond to the randomized questions and successfully complete the quiz,the applicant/user 290 is preferably not permitted to complete theenrollment process.

Upon the successful authentication of the applicant user's 290 identitydocuments and the passing of the aforesaid identity authentication test(step 330), each kiosk 250 is additionally preferably configured andoperative to collect user biometric information (e.g., fingerprints,retain/iris scan, facial image, voice and the like) (step 340).

The collected applicant/user 290 biometric information (step 340) isprovided to the payload processor system 220 (step 360). Which payloadprocessor system 220 formats a user 290 biometric template based uponthe user's collected biometric information (step 340) which is then sentto the central processing system 210 (step 350). The user 290 biometrictemplate is then preferably sent from the central processing system 210to the card production system 230 which produces a user identificationtoken such as a smartcard having embedded or links to user biometric andbiographic information using any known means (smart chip, magneticallyor optically encoded information and the like) (step 360). The useridentification token may then be issued to a user 290 for use thereof(step 370). It is to be understood and appreciated the invention is notto be understood to be limited to the use of such a user issued tokenresiding on a smart card or like device but rather may encompassmatching a user's retrieved biometric information with that previouslystored in system 200.

With reference now to FIG. 4, the process for user 290 use of theaforesaid user identification token will now be briefly discussed.Starting at step 410, an enrolled user 290 presents the useridentification token to a kiosk 250 associated with a third partyrequiring identity verification of the user 290 (e.g., airport security,admittance to an event requiring heightened security, or to a merchantdesiring to verify a client remitting payment using a credit card orother ACH type of payment). Next, the kiosk 250 is configured andoperative to confirm a biometric match between biometric data stored forthe user 290 on the user identification token or in the centralprocessing system 210 and the matching biometric features of the user290 collected at the time of verification (step 420). If there is amatch, the user's identity is verified and authenticated (step 430).

As used herein, the term “software” is meant to be synonymous with anycode or program that can be in a processor of a host computer,regardless of whether the implementation is in hardware, firmware or asa software computer product available on a disc, a memory storagedevice, or for download from a remote machine. The embodiments describedherein include such software to implement the equations, relationshipsand algorithms described above. One skilled in the art will appreciatefurther features and advantages of the invention based on theabove-described embodiments. Accordingly, the invention is not to belimited by what has been particularly shown and described, except asindicated by the appended claims. All publications and references citedherein are expressly incorporated herein by reference in their entirety.

Optional embodiments of the present invention may also be said tobroadly consist in the parts, elements and features referred to orindicated herein, individually or collectively, in any or allcombinations of two or more of the parts, elements or features, andwherein specific integers are mentioned herein which have knownequivalents in the art to which the invention relates, such knownequivalents are deemed to be incorporated herein as if individually setforth. For instance, while the above illustrated embodiments makereference to a user token dedicated for use of a user's identificationin an airport environment, other embodiments encompass using a tokendedicated for another purpose such as a credit or debit card whichincorporates the biometric authentication features mentioned above,along with the aforesaid secure enrollment process (FIG. 3).

The above presents a description of a best mode contemplated forcarrying out the present invention identity authentication and biometricverification system and method, and of the manner and process of makingand using the identity authentication and biometric verification systemand method, in such full, clear, concise, and exact terms as to enableany person skilled in the art to which it pertains to make and use thesedevices and methods. The present invention identity authentication andbiometric verification system and method is, however, susceptible tomodifications and alternative method steps from those discussed abovethat are fully equivalent. Consequently, the present invention identityauthentication and biometric verification system and method is notlimited to the particular embodiments disclosed. On the contrary, thepresent invention identity authentication and biometric verificationsystem and method encompasses all modifications and alternativeconstructions and methods coming within the spirit and scope of thepresent invention.

The descriptions above and the accompanying drawings should beinterpreted in the illustrative and not the limited sense. While theinvention has been disclosed in connection with the preferred embodimentor embodiments thereof, it should be understood that there may be otherembodiments which fall within the scope of the invention as defined bythe following claims. Where a claim, if any, is expressed as a means orstep for performing a specified function, it is intended that such claimbe construed to cover the corresponding structure, material, or actsdescribed in the specification and equivalents thereof, including bothstructural equivalents and equivalent structures, material-basedequivalents and equivalent materials, and act-based equivalents andequivalent acts.

What is claimed is:
 1. A computer-implemented method for authenticatingan identity of a person using an electronic device connected to anetwork, comprising: inputting via a first input component of theelectronic device, first information regarding the identity of theperson; scanning via a second input component of the electronic device,at least one document associated with the identity of the person;utilizing the scanned at least one document to verify the identity ofthe person; electronically retrieving by the electronic device from adata source, second information relating to the identity of the person;presenting at least one question to the person based on the secondinformation; soliciting, from the person, an answer to the at least onequestion; authenticating the identity of the person by analysis of theanswer; and upon authentication of the identity of the person,electronically collecting via a third input component of the electronicdevice, biometric data to be used for future authentication of theidentity of the person.
 2. The computer-implemented method as recited inclaim 1, wherein the electronic device formats the second information asthe at least one question.
 3. The computer-implemented method as recitedin claim 1, wherein the electronic device comprises a kiosk device. 4.The computer-implemented method as recited in claim 1, wherein the datasource is coupled to the electronic device via the network.
 5. Thecomputer-implemented method as recited in claim 1, wherein the datasource comprises a third-party database.
 6. The computer-implementedmethod as recited in claim 1, wherein the data source comprises adatabase.
 7. The computer-implemented method as recited in claim 1,further comprising generating an identification token containing thirdinformation based on the biometric data.
 8. The computer-implementedmethod as recited in claim 7, further comprising embedding theidentification token on a tangible medium.
 9. The computer-implementedmethod as recited in claim 1, wherein electronically collecting thebiometric data includes scanning a fingerprint of the person via thethird input component.
 10. The computer-implemented method as recited inclaim 1, wherein electronically collecting the biometric data includesscanning an iris of the person via the third input component.
 11. Thecomputer-implemented method as recited in claim 1 , wherein theelectronic device performs analysis of the answer.
 12. A computerizeddevice configured for authenticating an identity of a person,comprising: a computer processor; a biometric input component; akeyboard input component coupled to the computer processor for inputtingthe identity of the person; a document scanning component coupled to thecomputer processor for scanning at least one document whereby thecomputer processor is instructed to verify the identity of the personbased upon first information captured from the scanned at least onedocument, whereby the computer processor is further instructed to:electronically retrieve from at least one data source, after theidentity of the person has been verified, second information relating tothe identity of the person; present at least one question soliciting ananswer relevant to the second information; authenticate the identity ofthe person by analysis of the answer; and upon successful authenticationof the identity of the person, collect biometric data via the biometricinput component.
 13. The computerized device as recited in claim 12,wherein the computerized device comprises a kiosk device.
 14. Thecomputerized device as recited in claim 12, wherein the at least onedata source comprises a database is networked coupled to thecomputerized device via a network.
 15. The computerized device asrecited in claim 12, wherein the at least one data source comprises athird-party database.
 16. The computerized device as recited in claim12, wherein the at least one data source comprises a database.
 17. Thecomputerized device as recited in claim 12, wherein the computerprocessor is further instructed to generate an identification tokencontaining third information based on the biometric data.
 18. Thecomputerized device as recited in claim 17, wherein the computerprocessor is further configured to embed the identification token on atangible medium.
 19. The computerized device as recited in claim 12,wherein electronically collecting the biometric data includes scanning afingerprint of the person via the biometric input component.
 20. Thecomputerized device as recited in claim 12, wherein electronicallycollecting the biometric data includes scanning an iris of the personvia the biometric input component.